Fixed granular user permission checking in GenericEntityApiController (fixes #2025)

2025-04-29 01:32:38 +00:00 · 2022-10-17 21:00:10 +02:00 · 2022-10-17 21:00:10 +02:00 · 3070448555
commit 3070448555
parent 80a873da3e
3 changed files with 64 additions and 10 deletions
--- a/changelog/69_UNRELEASED_xxxx-xx-xx.md
+++ b/changelog/69_UNRELEASED_xxxx-xx-xx.md
@ -61,6 +61,7 @@
 - It's now possible to edit a user without necessarily updating the users password
 - Fixed that when running label printer WebHooks client side (so when `LABEL_PRINTER_RUN_SERVER` = `false`), the setting `LABEL_PRINTER_HOOK_JSON` was ignored (the WebHook data was always sent as form data)
 - Fixed that granular user permissions (like "Shopping list / Add items" or "Equipment") didn't allow to add/edit the corresponding items without also having the "Edit master data" permission
 - New translations: (thanks all the translators)
  - Lithuanian (demo available at <https://lt.demo.grocy.info>)
  - Ukrainian (demo available at <https://uk.demo.grocy.info>)
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@ -9,7 +9,26 @@ class GenericEntityApiController extends BaseApiController
 {
 	public function AddObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+		if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
 		{
 			User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
 		}
 		elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES);
 		}
 		elseif ($args['entity'] == 'meal_plan')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
 		}
 		elseif ($args['entity'] == 'equipment')
 		{
 			User::checkPermission($request, User::PERMISSION_EQUIPMENT);
 		}
 		else
 		{
 			User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 		}
 		if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
 		{
@ -48,7 +67,26 @@ class GenericEntityApiController extends BaseApiController
 	public function DeleteObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+		if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
 		{
 			User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_DELETE);
 		}
 		elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES);
 		}
 		elseif ($args['entity'] == 'meal_plan')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
 		}
 		elseif ($args['entity'] == 'equipment')
 		{
 			User::checkPermission($request, User::PERMISSION_EQUIPMENT);
 		}
 		else
 		{
 			User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 		}
 		if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoDelete($args['entity']))
 		{
@ -76,7 +114,26 @@ class GenericEntityApiController extends BaseApiController
 	public function EditObject(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 	{
-		User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
+		if ($args['entity'] == 'shopping_list' || $args['entity'] == 'shopping_lists')
 		{
 			User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
 		}
 		elseif ($args['entity'] == 'recipes' || $args['entity'] == 'recipes_pos' || $args['entity'] == 'recipes_nestings')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES);
 		}
 		elseif ($args['entity'] == 'meal_plan')
 		{
 			User::checkPermission($request, User::PERMISSION_RECIPES_MEALPLAN);
 		}
 		elseif ($args['entity'] == 'equipment')
 		{
 			User::checkPermission($request, User::PERMISSION_EQUIPMENT);
 		}
 		else
 		{
 			User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
 		}
 		if ($this->IsValidExposedEntity($args['entity']) && !$this->IsEntityWithNoEdit($args['entity']))
 		{
--- a/controllers/Users/User.php
+++ b/controllers/Users/User.php
@ -83,16 +83,12 @@ class User
 		return $user->getPermissionList();
 	}
-	public static function checkPermission($request, string ...$permissions): void
+	public static function checkPermission($request, string $permission): void
 	{
 		$user = new self();
-
+		if (!$user->hasPermission($permission))
 		foreach ($permissions as $permission)
 		{
-			if (!$user->hasPermission($permission))
+			throw new PermissionMissingException($request, $permission);
 			{
 				throw new PermissionMissingException($request, $permission);
 			}
 		}
 	}